Cybersecurity Supervision Work Program References

The Cybersecurity Supervision Work Program (CSW) provides high-level examination procedures that are aligned with existing supervisory guidance and the National Institute of Standards and Technology Cybersecurity Framework. Users can filter and search for procedures by using the CSW Cross-References table on this page. The procedures are cross-referenced to common industry cybersecurity frameworks. Learn more about the OCC’s cybersecurity supervision.

The CSW is a component of the OCC’s risk-based bank information technology supervision process. The CSW sets no new regulatory expectations, and national banks and federal savings associations are not expected to use this work program to assess cybersecurity preparedness.


CSW Cross-References

Use the filters below to see a table of CSW procedures and the cross-references or click search without applying filters to view all data. Learn more about CSW Cross-References.


More Information About CSW Cross-References 

The CSW Cross-References table above offers several columns of information. Select the sections below to learn more about what is displayed under each column.

The CSW is structured according to the 23 categories of the five National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF) functions. The OCC developed an additional function, Specialty Areas, to address areas of risk that support OCC cybersecurity assessments, where applicable.

The figure below shows how NIST aligns the categories under each function. The OCC developed Specialty Areas that are not included in this figure.

The CSW does not include NIST-CSF subcategories that are addressed as part of other examination programs or subcategories that do not apply to the OCC bank information technology supervision process.

The unique ID identifies the procedure and its hierarchy. Unique IDs are structured using a hierarchy of NIST-CSF functions, categories, and subcategories. The OCC added two characters at the end to designate the specific procedure. See the figure pictured below.

Unique ID

During supervisory activities, examiners use the procedures to guide their reviews and evaluations of cybersecurity preparedness.

OCC Resources, FFIEC IT Examination Handbook InfoBase, Industry Frameworks

The table provides cross-references that map CSW procedures to existing supervisory guidance and industry frameworks. The cross-references are provided for informational purposes only; inclusion of products, processes, services, manufacturers, or companies in the CSW is not indicative of an OCC endorsement.

  • OCC Resources
    • OCC Bulletins
      • Each bulletin listed in the table will have a hyperlink to the applicable attachment or bulletin transmittal. If necessary, scroll to the page indicated or search for the applicable text.
    • OCC Comptroller’s Handbook: Community Bank Supervision
      • To find the associated procedures in the “Community Bank Supervision” booklet of the Comptroller’s Handbook, navigate to Core Assessment > Information Technology > Other Assessment Objectives. Then search for the Objective and Procedure listed in the table.
  • FFIEC IT Examination Handbook InfoBase
    • Each booklet listed will have bullets with hyperlinks.
      • The characters (e.g., II.C.5) refer to the listed booklet’s table of contents. The hyperlink will lead to the specific section of the narrative.
      • Appendix A references link to Examination Procedures in the corresponding booklet. Scroll to the Objective and Procedure listed in the table.
  • Industry Frameworks
    • Center for Internet Security’s (CIS) Critical Cybersecurity Controls
      • CIS requires registration to access the controls. The associated text can be found by searching for the identifier listed in the table.
    • Cyber Risk Institute’s (CRI) Profile
      • CRI requires registration to access the Profile content. The associated text can be found by searching for the identifier listed in the table.
    • FFIEC Cybersecurity Assessment Tool (CAT)
      • The hyperlink will open the PDF version of the tool (if prompted, respond to the CAPTCHA).
      • Each declarative statement in the CAT has a unique identifier that comprises the Domain, Assessment Factor, Component, Maturity Level, and statement number. Each portion is separated by a period. To find the declarative statement, scroll to the domain number and the related assessment factor. For example, “D1.G.Ov.B.1” refers to Domain: 1, Assessment Factor: Governance, Component: Oversight, Maturity Level: Baseline, and statement 1.
      • For a table listing, go to page 111 of Explanation of Cybersecurity Assessment Tool References (if prompted, respond to the CAPTCHA).
  • NIST Special Publication 800-53, Revision 5
    • The hyperlink goes to a PDF version of the controls catalog. The associated text can be found by searching for the identifier listed in the table.